We’ve been wondering for a few months now how malware mafias can hack so many web sites automatically to be exploited by MPack. Yesterday a few theories came to light, such as hinting that all the hacked servers all belong to the same virtual hosting server or the use of a ‘IFRAME Manager tool’. We’re familiar with this tool since about 4 months. It’s real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale:

And the tool itself:

When we found MPack at the end of last year we also found also a similar tool named ‘RooT [iFrame]’ in one of the hacked servers. There is a funny thing about this one; if you buy it through the Russian version of the hacker’s website, it is just $25. In case you go to the English version of this hacker’s site, the price doubles, it’s $50. Finally we found yet another one named FTPCheckIframe, this time only in Russian and for $25.

 

Even though we are still wondering how they gain access to those servers, it seems that they make use of tools such as the ones mentioned and feed them a list of usernames and passwords, probably stolen by the same Trojans and keyloggers they have previously gathered or purchased. But… how to work with all that mess? I mean, they can have hundreds of thousands of ftp addresses with usernames and passwords, but they don’t know which ones are working, which ones have write access, etc.

 

Then we run into yet another tool, this time a PHP script that validates ftp accounts. The hacker loads the stolen account lists in a file called acc.txt, and by means of the script (ftp_check.php) he gets dumped the valid ones into a file called valid.txt.

 

So he can use that information with any of the previous programs: FTP-Toolz pack, RooT [iFrame] or FTPCheckIframe and automatically infect hundreds of thousands of web pages with the MPack IFRAME.